A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Google Has Stored Some Passwords in Plaintext Since 2005 (Wired, May 21 2019)
On the heels of embarrassing disclosures from Facebook and Twitter, Google reveals its own password bugs—one of which lasted 14 years.

Fifth of Docker Containers Have No Root Passwords (Infosecurity Magazine, May 21 2019)
Security oversight could expose them to exploitation

Slack Flaw Allows Hackers to Steal, Manipulate Downloads (SecurityWeek, May 17 2019)
A recently patched vulnerability in the Slack desktop application for Windows can be exploited by malicious actors to steal and manipulate a targeted user’s downloaded files.

8,000 Security News Articles
Since I started this curated newsletter in June 2017, I’ve clipped ~8,000 articles and narrowed them down into the best 20 per day. This is my favority way to stay abreast of the industry. Readers like you make this all worthwhile.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

Unsecure Chtrbox AWS database exposes data on 49 million Instagram influencers, accounts (SC Magazine, May 21 2019)
An unsecured Chtrbox database hosted by Amazon Web Services (AWS) and discovered by security researcher Anurag Sen has exposed the records of more than 49 million Instagram influencers. Data scraped from the accounts include bios, account details like number of followers, location information, email addresses, phone numbers and profile pictures as well as a calculated valuation of each account, according to a TechCrunch report.

AWS Security Profiles: Tracy Pierce, Senior Consultant, Security Specialty, Remote Consulting Services (AWS Security Blog, May 17 2019)
“You’ve worn a lot of hats at AWS. What do you do in your current role, and how is it different from previous roles? I joined AWS as a Customer Support Engineer. Currently, I’m a Senior Consultant, Security Specialty, for Remote Consulting Services, which is part of the AWS Professional Services (ProServe) team.”

Security: a Missing Ingredient in Many DevOps Implementations (Infosecurity Magazine, May 15 2019)
The most successful organizations of the future will make DevSecOps a cornerstone of their business operations

Killer SecOps Skills: Soft Is the New Hard (Dark Reading, May 20 2019)
The sooner we give mindsets and tool sets equal bearing, the better. We must put SOC team members through rigorous training for emergency situations.

DevOps Repository Firms Establish Shared Analysis Capability (Dark Reading, May 17 2019)
Following an attack on their users, and their shared response, Atlassian, GitHub, and GitLab decide to make the sharing of attack information a permanent facet of their operations.

Forbes subscribers warned of Magecart threat skimming credit card details (Graham Cluley, May 16 2019)
The notorious Magecart malware, that blights online stores by stealing payment card details from unsuspecting shoppers at checkout, has claimed another high profile victim.

Forbes Site Up, Then Down Again after Magecart Attack (Infosecurity Magazine, May 16 2019)
Forbes.com was hit with credit card skimming malware.

Facebook restores disabled ‘View As’ feature used in 2018 breach (Naked Security – Sophos, May 16 2019)
The feature still lets you see how others see you, but without leaking access tokens.

Hack on Stack Overflow exposes private data for ~250 users (Ars Technica, May 17 2019)
Intruders who accessed production system remained undetected for at least five days.

AppSec attack and defense: The password domino effect (SC Magazine, May 20 2019)
“To summarize, I presented how the obfuscation (i.e., replacing parts of the email string with “*”) of the email account used for account reset wasn’t standardized across different websites. Thus, leaving the attacker with a simple task of reconstructing the string by visiting the different sites. Next, I showed how answers to what were supposedly secret questions in the account reset procedure were actually publicly available in the user’s social media accounts.”

WordPress plugin sees second serious security bug in six weeks (Naked Security – Sophos, May 21 2019)
Researchers have uncovered another serious bug in WP Live Chat that could lead to the mass compromise of websites.

TeamViewer reportedly hit by Chinese hackers in 2016 (SC Magazine, May 21 2019)
TeamViewer announced it was the victim of a cyber attack which took place in 2016 although some sources claim that hackers were in the firm’s network as early as 2014. The data breach was reportedly the result of threat actors exploiting the recently patched Winnti backdoor trojan, a malware first seen used by a group…

Firefox Now Has Fingerprinting and Crypto-mining Protection (SecurityWeek, May 21 2019)
Mozilla this week released Firefox 67 to the stable channel with improved protection against tracking and with fingerprinting and crypto-mining protection capabilities.

PayPal’s Beautiful Demonstration of Extended Validation FUD (Troy Hunt, May 21 2019)
“Sometimes the discussion around extended validation certificates (EV) feels a little like flogging a dead horse. In fact, it was only September that I proposed EV certificates are already dead for all sorts of good reasons that have only been reinforced since that time. Yet somehow, the discussion does seem to come up time and again…”